Bug 1817505 - Allowing specific cipher will remove all enabled ciphers if 'default ciphers' is clicked
Alias: None
Product: Red Hat Directory Server
Classification: Red Hat
Component: 389-ds-base
Version: 11.2
Hardware: Unspecified
OS: Unspecified
Target Milestone: DS11.3
: dirsrv-11.8
Assignee: Simon Pichugin
QA Contact: LDAP QA Team
Evgenia Martynyuk
Depends On:
Reported: 2020-03-26 13:08 UTC by sgouvern
Modified: 2023-11-07 11:48 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
.You can now enable and disable ciphers in Directory Server as expected

Previously, when you tried to enable or disable specific ciphers in addition to default ciphers by using the web console, the server enabled or disabled only the specific ciphers and logged an error similar to the following:

----
Security Initialization - SSL alert: Failed to set SSL cipher preference information: invalid ciphers <default,+cipher_name>: format is +cipher1,-cipher2... (Netscape Portable Runtime error 0 - no error)
----

Currently, the network security services (NSS) do not support handling default ciphers and specific ciphers at the same time. As a result, Directory Server can enable or disable either specific ciphers or default ciphers. With this update, when you set the default ciphers, the web console now prompts that *Allow Specific Ciphers* and *Deny Specific Ciphers* fields will be cleared.
Clone Of:
Last Closed: 2023-03-01 16:36:23 UTC
Target Upstream Version:

System | ID | Private | Priority | Status | Summary | Last Updated
Github | 389ds 389-ds-base issues 4962 | 0 | None | closed | Fix various UI bugs | 2023-11-02 00:00:33 UTC

Description sgouvern 2020-03-26 13:08:46 UTC
Description of problem:
On 'Server Settings'/'Security'/'Cipher preferences' tab, allowing a specific cipher will remove all enabled ciphers if 'default ciphers' is selected after that.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Go to 'Server Settings'/'Security'/'Cipher preferences'
2. Select a cipher in 'allow specific ciphers' list
3. Click 'Default ciphers'
4. 'Save cipher preferences'
5. Restart the instance
6. Come back to 'Server Settings'/'Security'/'Cipher preferences'

Actual results:
The 'Enabled ciphers' list is empty

Expected results:
Enabled ciphers are default ones plus added allowed specific cipher

Additional info: 
A search of the list of enabled ciphers with dsconf will show: 'List of ciphers is empty'

Comment 1 mreynolds 2020-03-30 14:17:45 UTC
This isn't a problem with the UI or CLI, it is what is reported by NSS. Moving to different component to investigate as the root cause is not the UI.

Comment 6 sgouvern 2021-05-07 07:58:44 UTC
Moving to ITM 14 as it is not yet started
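
Added example, not part of the bug report and not 389-ds-base code: a Python check that classifies a cipher preference string and pulls the rejected value out of error log lines matching the message quoted in the Doc Text. The function names, the sample log lines and the acceptance rules (comma-separated entries, specific ciphers prefixed with `+` or `-`, `default` on its own) are assumptions drawn from that error message.

```python
import re

# Pattern built from the error text quoted in the Doc Text above.
INVALID_RE = re.compile(r"Failed to set SSL cipher preference information: "
                        r"invalid ciphers <([^>]*)>")

def classify(value):
    """Classify a cipher preference string.

    Returns 'default', 'specific', 'mixed' (the rejected combination from
    this bug) or 'malformed'. Rules are assumptions taken from the error
    message: entries are comma separated, and specific ciphers carry a
    leading '+' or '-'.
    """
    tokens = [t.strip() for t in value.split(",") if t.strip()]
    if not tokens:
        return "malformed"
    has_default = any(t.lower() == "default" for t in tokens)
    specific = [t for t in tokens if t[0] in "+-" and len(t) > 1]
    other = [t for t in tokens if t.lower() != "default" and t not in specific]
    if other:
        return "malformed"
    if has_default and specific:
        return "mixed"
    return "default" if has_default else "specific"

def rejected_values(log_lines):
    """Return (value, classification) for each rejected cipher setting logged."""
    hits = []
    for line in log_lines:
        m = INVALID_RE.search(line)
        if m:
            hits.append((m.group(1), classify(m.group(1))))
    return hits

# Constructed sample log lines; timestamps and cipher names are illustrative.
SAMPLE_LOG = [
    "[26/Mar/2020:13:10:01 +0000] - ERR - Security Initialization - SSL alert: "
    "Failed to set SSL cipher preference information: invalid ciphers "
    "<default,+TLS_RSA_WITH_AES_128_GCM_SHA256>: format is +cipher1,-cipher2... "
    "(Netscape Portable Runtime error 0 - no error)",
    "[26/Mar/2020:13:10:02 +0000] - INFO - slapd started.",
]

if __name__ == "__main__":
    for value, kind in rejected_values(SAMPLE_LOG):
        print(f"{kind}: {value}")
```

A `mixed` result is the state that leaves the 'Enabled ciphers' list empty after restart, so it is worth checking for before saving a cipher preference change.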
